Can Reserve Audits Prevent Another FTX-Like Incident?

Cryptocurrency exchanges are aggressively publishing audits of proof-of-reserves to increase transparency, but experts say it will take more than that to restore investor confidence.
In response to the FTX collapse, which was caused by the now-defunct cryptocurrency exchange funnelling user cash to offset its own risks, crypto exchanges developed a proof-of-reserves transparency solution.
In the absence of clear restrictions, a method recently advocated by Binance CEO Changpeng Zhao allows exchanges to provide transparency to users.
Proof of reserves (PoR) is an independent audit done by a third party to verify that a custodian retains the assets it claims to hold for its customers.
The auditor generates an aggregated Merkle tree from an anonymised snapshot of all balances stored.
A Merkle tree is a cryptographic commitment scheme in which each leaf is labelled with the cryptographic hash of a data block and each non-leaf node with the hash of its children. Merkle trees are primarily used to validate data processed, sent, or stored between computers. While the notion was created in 1979, it has found widespread use in blockchain peer-to-peer networks.
After taking the snapshot, the auditor obtains a Merkle root, a cryptographic fingerprint that uniquely identifies the combination of these balances at the moment the snapshot was produced.
The auditor then gathers digital signatures generated by the cryptocurrency exchange that demonstrate ownership of on-chain addresses with publicly verifiable balances. Finally, the auditor checks that these balances are greater than or equal to the client balances recorded in the Merkle tree, ensuring that the clients' assets are held with a full reserve.
Five centralised exchanges (CEXs), including Kraken, Bitmex, Coinfloor, Gate.io, and HBTC, have completed their proof-of-reserve audits, while others, including Binance, OKX, KuCoin, Huobi, Poloniex, Crypto.com, Deribit, and Bitfinex, have declared similar intentions.
The PoR approach made sense and was praised by many in the cryptocurrency community as a move toward a more transparent cryptocurrency environment. Centralized exchanges are able to record the obligations of each account on a public ledger that also details the owned assets. Each entry would be posted under a tag that is known only to the account owner, so that account holders' identities stay private.
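The snapshot-to-root process and the per-account check described above, sketched in Python as an added example (not code from any exchange or auditor). The tags, balances, leaf encoding and padding rule are constructed assumptions.

```python
import hashlib

# Constructed snapshot: (tag known only to the account owner, balance in smallest units)
SNAPSHOT = [("tag-7f3a", 1_500), ("tag-c21e", 40_000), ("tag-09bd", 250),
            ("tag-e655", 8_000), ("tag-3a90", 12)]

def h(data):
    return hashlib.sha256(data).digest()

def leaf(tag, balance):
    # 0x00/0x01 prefixes keep leaf hashes and interior hashes in separate domains
    return h(b"\x00" + f"{tag}:{balance}".encode())

def node(left, right):
    return h(b"\x01" + left + right)

PAD = h(b"\x00padding")  # assumed filler for levels with an odd number of nodes

def build_levels(snapshot):
    levels = [[leaf(t, b) for t, b in snapshot]]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        if len(cur) % 2:
            cur.append(PAD)
        levels.append([node(cur[i], cur[i + 1]) for i in range(0, len(cur), 2)])
    return levels  # levels[-1][0] is the Merkle root

def prove(levels, index):
    """Sibling hashes from leaf `index` up to the root, with each sibling's side."""
    path = []
    for level in levels[:-1]:
        sibling = index ^ 1
        path.append((level[sibling], sibling > index))
        index //= 2
    return path

def verify(tag, balance, path, root):
    """Run by the account owner: recompute the published root from their own leaf."""
    acc = leaf(tag, balance)
    for sibling, on_right in path:
        acc = node(acc, sibling) if on_right else node(sibling, acc)
    return acc == root

def fully_reserved(snapshot, attested_reserves):
    """Run by the auditor: signed on-chain balances must cover all liabilities."""
    return attested_reserves >= sum(balance for _, balance in snapshot)
```

An account holder can confirm only that their own leaf is committed to by the published root; the liabilities total used in `fully_reserved` still comes from the auditor's view of the snapshot.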
Hassan Sheikh, co-founder of the decentralised venture capital company DAO Maker, said that proof of reserves (PoR) gives a clear summary of liabilities that can be linked to assets. A solid PoR technique might make it very hard for exchanges to manufacture liabilities, he noted.
“If liabilities are ever faked, users can publicly raise a red flag. Even if 1% of users ever bother to verify, it’d be impossible for any CEX to which users would fall in that cautious 1%. The larger accounts would almost always verify, and the CEX could at best get away with skipping only a small fraction of small accounts before being detected.”
He added that with publicly released liabilities that retail investors can easily verify, “the asset disclosures which exchanges are making would finally make sense,” adding that the balances presented in these audits only “hold weight under the assumption liabilities are properly presented.”
Ben Sharon, co-founder of digital asset management business Illumishare SRG, said that fraudsters would attempt to imitate any audit, regardless of how trustworthy the reserves' evidence is. He stated that a proof-of-reserves audit is still a valid method for keeping an eye on cryptocurrency exchanges, but that it is insufficient, and proposed other steps, including:
“Having a separate cash reserve, an asset-backed token, or better yet, having both, in addition to a proof-of-reserves certificate would offer investors a far better solution. At the end of the day, the only solution is complete transparency. When a crypto exchange is fully transparent, users should not be afraid to trust it with their assets.”
Showing Reserves Without Obligations Is Meaningless
While proof of reserves is gaining acceptance across centralised exchanges, with many beginning to publish PoR audit data, there is still the problem of crypto platforms shifting their money immediately after the audit snapshot has been taken.
After releasing its PoR audit, Crypto.com recently moved 280,000 ETH to Gate.io, feeding allegations that cryptocurrency exchanges may be forging their reserve audits. Numerous members of the cryptocurrency community said that exchanges were borrowing assets to portray a healthy balance sheet, only to return them immediately after the snapshot.
Kris Marszalek, the chief executive officer of Crypto.com, said that the $400 million ETH transfer was a mistake and that the funds were supposed to be transferred to another cold wallet, which fueled more suspicion.
And while some exchanges disclose extensive analyses of their reserves during a PoR, other businesses provide just brief statements claiming to be profitable. Nexo has simply produced a one-page summary indicating that they have more assets than client deposits totaling around $3.2 billion.

Philipp Zimmerer, key contributor at decentralised finance system Spool.fi, said after reviewing some of the reserve audits issued by exchanges that the primary problem is the lack of explicit guidelines for what makes a legitimate proof-of-reserves (PoR) audit. This implies that the technique will vary from exchange to exchange. He elaborated:
“Even if implemented in the most good-faith interpretation, a proof of reserves still cannot prove exclusive ownership of private keys or detect any funds that were borrowed to manipulate the outcome of the audit. Generally, the practice is only as trustworthy as the exchange and the auditors were to begin with, and will never constitute 100% proof of anything.”
Moreover, he argued that exhibiting assets without obligations is useless. The only ones that can be “trusted to a degree are fully regulated, on-shore banking licence holders that undergo regular, complete audits from known and independent firms.” He referenced Coinbase as an example of a publicly listed company that makes its assets and liabilities public.
Zimmerer also mentioned Kraken, another United States-based exchange that conducts frequent audits and publishes and disseminates the findings to the public.
Stefan Rust, CEO of data infrastructure provider Truflation, said that, based on the early implementation of proof of reserves, it appears to be a good first step; however, to gain more trust and greater transparency, a more prudent approach would be to examine the overall balance sheet, monitor the liabilities, and have transparency regarding the capital reserves. A corporation not only owns reserves but also has exposure.
In the instance of FTX, they had divested assets and liabilities from more than 130 enterprises. The same thing occurred with WeWork and a number of other firm failures. Rust said:
“Proof of reserve is the first step. Proof of liabilities would be great, and in light of FTX, a must-have edition. Lastly, some sort of proof of incorporation or consolidation across related companies. We need to educate the market and the community on not only how to use these tools, but also the benefits of these tools. It’s important for users to understand why decentralisation is really an essential part of not only the crypto ecosystem but the future financial and Web3.”
When asked about the most reliable way to keep tabs on crypto exchanges, Don Guillaume, head of PR and communications at Gate.io, said, “Regulation. Over the last few years we’ve seen positive steps across the world by regulators to ensure crypto exchanges, and really any company operating in the crypto industry, are regulated and following the rules of the law.”
Overall, the aftermath of FTX’s demise has led to demands for stronger governmental regulation of the cryptocurrency sector. While significant market participants continue to provide some sort of transparency in an effort to recover public confidence, experts feel that verification of reserves alone is insufficient.









